420938 – Microsoft Purview compliance portal: Insider Risk Management – Entra compromised user signals in IRM

*A more relevant or more recent entry exists for this item: MC1006621

check before: 2025-05-01

Product:

Entra, Purview, Purview Communication Compliance, Purview compliance portal, Purview Information Protection, Purview Insider Risk Management

Platform:

US Instances, Web, World tenant

Status:

Launched

Change type:

Links:

MC1006621

Details:

With this feature, IRM analysts can identify if the user being investigated has any compromised user alerts in Microsoft Entra. This will help them formulate the right response action, like escalating the Incident to SOC teams for quick remediation, etc.

Microsoft Entra offers two types of compromised user detections.

1. Sign in risk detections: compromise risk associated with a specific sign-in.
2. User risk detections: compromise risk associated with a specific user.

Insider risk management admins can opt into each of the above risk detections from Insider risk management global settings. Risk detections will be available in the indicator timeline within the alert investigation experience. Risk detections will not impact the risk score or severity of Insider risk management alerts.

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Release Phase:
Preview, General Availability

Created:
2024-10-09

updated:
2026-01-21

Direct effects for Operations**

Please see the most relevant linked item for details.

explanation for non-techies**

Imagine you're running a large office building with multiple entry points and hundreds of employees coming in and out every day. To ensure security, you have security guards at each entrance, surveillance cameras, and a system that logs every entry and exit. Now, let's say you have a special team whose job is to watch for any unusual behavior, like someone trying to enter a restricted area or using someone else's ID card.

In the IT world, Microsoft Purview's Insider Risk Management (IRM) is like that special team. It's designed to monitor and identify potential risks from within an organization, such as employees accidentally or intentionally leaking sensitive information. Microsoft Entra is like the surveillance system that provides alerts when there's a potential security issue, such as someone trying to access the system from an unusual location or using a compromised password.

The new feature in Microsoft Purview allows the IRM team to see if there are any alerts from Microsoft Entra about a user being investigated. This is similar to your security team being notified if someone has tried to enter the building with a suspicious ID card. These alerts help the IRM team decide on the best course of action, like notifying the security operations center (SOC) for further investigation.

Microsoft Entra provides two types of alerts: one for specific sign-ins that seem risky, like someone trying to log in from a different country, and another for users who show signs of being compromised, like having their password stolen. The IRM team can choose to receive these alerts to better understand potential risks.

These alerts don't change the overall risk score of an employee but provide additional context to help the IRM team make informed decisions. Just like in the office building, where knowing someone tried to use a fake ID might not immediately label them as a threat but certainly warrants a closer look.

Additionally, Microsoft Purview is designed with privacy in mind. It's like having a security system that ensures the privacy of employees by not revealing personal details unless absolutely necessary. This is achieved through pseudonymization, which means that users' identities are masked, and only those with the right permissions can access detailed information.

In summary, this feature in Microsoft Purview helps organizations better manage insider risks by integrating alerts from Microsoft Entra, much like a security team using multiple sources of information to keep a building safe.

** AI generated content. This information must be reviewed before use.

change history

| Date | Property | old | new |
| --- | --- | --- | --- |
| 2026-01-21 | RM Product Tags | Microsoft Purview compliance portal | Microsoft Purview |
| 2025-05-29 | RM Status | In development | Launched |
| 2025-05-02 | RM Release | April CY2025 | May CY2025 |
| 2025-03-26 | RM Release | March CY2025 | April CY2025 |
| 2025-02-12 | RM Description | With this feature, IRM analysts can identify if the user being investigated has any compromise user alerts in Microsoft Entra. This will help them formulate the right response action, like escalating the Incident to SOC teams for quick remediation, etc. Microsoft Entra offers two types of compromised user detections: 1. Sign in risk detections - Compromise risk associated with a specific sign-in. 2. User risk detections - Compromise risk associated with a specific user. - Insider risk management admins can opt into each of the above risk detections from Insider risk management global settings. - Risk detections will be available in the indicator timeline within the alert investigation experience. - Risk detections will not impact the risk score or severity of Insider risk management alerts. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. | With this feature, IRM analysts can identify if the user being investigated has any compromised user alerts in Microsoft Entra. This will help them formulate the right response action, like escalating the Incident to SOC teams for quick remediation, etc. Microsoft Entra offers two types of compromised user detections. 1. Sign in risk detections: compromise risk associated with a specific sign-in. 2. User risk detections: compromise risk associated with a specific user. Insider risk management admins can opt into each of the above risk detections from Insider risk management global settings. Risk detections will be available in the indicator timeline within the alert investigation experience. Risk detections will not impact the risk score or severity of Insider risk management alerts. Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. |
| 2025-02-07 | RM Release | February CY2025 | March CY2025 |
| 2024-12-11 | RM Cloud Instance Tags | Worldwide (Standard Multi-Tenant) | Worldwide (Standard Multi-Tenant), DoD, GCC High, GCC |
| 2024-11-05 | RM Preview | October CY2024 | December CY2024 |

Last updated 4 weeks ago
